Information & Ethics committee Sure. Right now, when an organization is the subject of a complaint, the Office of the Privacy Commissioner will commence and carry out an investigation. At the conclusion of that investigation, it will issue a report of findings. These are non-binding findings, and there are exp
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee I think it's fair for due process to have rights for organizations balanced. The whole statute is predicated on a balancing. Privacy under PIPEDA is not an absolute right. There's a balance in the preamble of the act and in section 5.3 of the act for the protection of privacy int
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee Yes, those compliance agreements are voluntary for organizations to enter into. There are certain reasons it would make sense for organizations to enter into them with the OPC, like a binding agreement, just as you would have in the private sector, so that would make sense in its
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee We've had to work on several dozen client mandates in which we were dealing with concepts in the EU, with global companies, and importing them. These are very tricky, and what seemed to be the case in every single context is that that was unnecessary for the protection of privacy
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee Yes. We recommend having something similar to what exists in provincial privacy statutes: an express deemed authorization for organizations to be able to de-identify. I would suggest that the frameworks already exist. If an individual or a corporation were to be re-identifying so
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee Yes, thank you. It's a critically important question. There are elements to a valid consent, whether expressed or implied. One of the elements required is that the consent be revocable. For instance, if you provide your consent for secondary marketing, there is the obligation to
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee I want to clarify if the question is whether there are recommendations for helping organizations respond to incidents that would be incorporated into the statutory regime or it is a more general question.
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee As the committee is aware, we've had these discussions, and PIPEDA has a pending statutory security breach notification requirement, which will come into effect once the regulations are put out for comment and then ultimately implemented. One of the comments that industry has ma
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee I would just reiterate that in dealing personally with scores of investigations, I have found that there is a benefit to having an ombudsman model that can be unleashed to have even greater benefits, to allow for what I would call a conversation. Unlike other types of statutes in
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee I'm happy to answer that. In the context of numerous client engagements, we've had to address that exact issue. The best place to start, actually, is with your reference to COPPA. Under PIPEDA, as we've heard throughout the afternoon, there's a consent-based requirement. Indivi
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee I have two comments. With respect to your first question, I think there are times when it seems as though it would be helpful to have different age gates for different types of scenarios, but given the explosion of the array of different types of services and offerings and cont
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee I agree with both colleagues. Striking a balance is difficult. I'm not sure that the answer is necessarily embedding that principle within a statutory framework. There is an existing framework right now that allows for respectful treatment of the life cycle of data, including da
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee I'd be pleased to do so. We offered four. All of them relate to the ability to process certain data—to collect, use, and disclose personal information—without consent. One of them, as mentioned by my colleague as well, was to create an exception for legitimate interest. This wou
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee Number two, there's currently an exception under PIPEDA in paragraph 7(2)(c) for the use of data for statistical and scholarly study and research. It's just for the use of data. The wording, in my view, allows for the conducting, for example, of analytics, which is a form of rese
May 30th, 2017 Committee meeting
Adam Kardash
Information & Ethics committee Finally I mentioned, consistent with my colleagues, that organizations now engage in a practice referred to as de-identification or anonymization or obfuscation, which is extraordinarily helpful to protect the privacy interests of individuals while it's processing, but it protects
May 30th, 2017 Committee meeting
Adam Kardash